Developer says gamers needn’t ‘avoid the current builds’ despite rumors of a malware threat

Counter-Strike: Global Offensive signboard

The source code for two popular online video games – Team Fortress 2 and Counter-Strike: Global Offensive (CS:GO) – has reportedly been leaked online, prompting speculation that the code could be abused to develop malicious exploits.

However, the games’ developer, Washington-based Valve Corporation, said it found no “reason for players to be alarmed or avoid the current builds”, since the code in question dates back to 2017 and was previously leaked in 2018.

The source code was dumped onto torrent sites yesterday (April 22), according to a tweet posted on the same day by Steam Database, a third-party source of real-time usage data on Steam, Valve’s digital distribution service.

Steam Database tweet

A few hours later the CS:GO Twitter account tweeted: “We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018.

“From this review, we have not found any reason for players to be alarmed or avoid the current builds.

They added that “playing on the official servers is recommended for greatest security”.

The thread also directed anyone with information about the leak to Valve’s security page.

Players of Team Fortress 2 were given the same reassurances in a tweet from that game’s Twitter account earlier today (April 23).

Team Fortress tweet

However, on April 22, a moderator on a Team Fortress 2 subreddit urged gamers to “hold off playing [until] this problem has been resolved”, claiming that “multiplayer matches” were at particularly high risk from malware.

Screenshots and videos have circulated online purporting to show Remote Code Execution (RCE) exploits based around the leaked code, “but could just as easily be faked”, Chris Boyd, lead malware intelligence analyst at Malwarebytes, told The Daily Swig.

“Valve’s suggestion to stick to official servers is the best advice for now besides simply not playing the game and/or avoiding mods until the leak is addressed,” he said, adding that Valve’s anti-cheat system could potentially block “dubious files or hack attempts”.

YOU MIGHT ALSO LIKE Hack and slash: Cloud-based video games model opens up fresh security risks

Boyd suggested that some affected Valve titles may have had few updates since the leak, “similar to how some MMORPG titles go into a form of ‘maintenance mode’.

“In that situation, it may be tricky to find programmers who can get into the guts of the games and ensure everything is locked down.”

However, he added: “One ‘benefit’ of public facing entities having their code stolen is it’s almost impossible to keep it quiet, which often means limited impact.”

In a YouTube video posted yesterday, Valve News Network appeared to claim that a disgruntled former team member was the source of the leak.

Despite the malware fears, the number of people concurrently playing CS:GO and Team Fortress 2 has peaked at around 1.2 million and around 71,500 respectively in the last 24 hours, according to STEAMCHARTS.

On March 15 the Steam Database revealed that a record numbers of gamers – more than 20 million – were playing games on Steam simultaneously as growing numbers stayed at home due to Covid-19.

With the $152 billion gaming sector an increasingly lucrative target for cybercrooks, Valve Corporation is one of a growing number of game developers to launch bug bounty programs in order to remediate security flaws.

The Daily Swig has contacted Valve Corporation for further comment.

RELATED US man who broke into Nintendo’s systems to steal games and console secrets pleads guilty